@ -35,6 +35,7 @@
\newcommand { \term } [1]{ \textsl { #1} \xspace }
\newcommand { \termbf } [1]{ \textbf { #1} \xspace }
\newcommand { \conformance } [1]{ \textmd { #1} \xspace }
\newcommand { \Zcash } { \termbf { Zcash} }
\newcommand { \Zerocash } { \termbf { Zerocash} }
@ -42,6 +43,12 @@
\newcommand { \ZEC } { \termbf { ZEC} }
\newcommand { \zatoshi } { \term { zatoshi} }
\newcommand { \MUST } { \conformance { MUST} }
\newcommand { \MUSTNOT } { \conformance { MUST NOT} }
\newcommand { \SHOULD } { \conformance { SHOULD} }
\newcommand { \SHOULDNOT } { \conformance { SHOULD NOT} }
\newcommand { \MAY } { \conformance { MAY} }
\newcommand { \coin } { \term { coin} }
\newcommand { \coins } { \term { coins} }
\newcommand { \coinCommitment } { \term { coin commitment} }
@ -67,15 +74,18 @@
\newcommand { \script } { \term { script} }
\newcommand { \serialNumber } { \term { serial number} }
\newcommand { \serialNumbers } { \term { serial numbers} }
\newcommand { \publicAddress } { \term { confidential address} }
% Let's rename ``privateAddress'' to something else, since it sounds like an oxymoron to me. (This is related to a code naming issue #602 and we might want to update both at the same time.)
\newcommand { \privateAddress } { \term { confidential private key} }
% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
\newcommand { \paymentAddress } { \term { payment address} }
\newcommand { \viewingKey } { \term { viewing key} }
\newcommand { \spendingKey } { \term { spending key} }
\newcommand { \keyTuple } { \term { key tuple} }
\newcommand { \coinPlaintext } { \term { coin plaintext} }
\newcommand { \coinPlaintexts } { \term { coin plaintexts} }
\newcommand { \coinsCiphertext } { \term { transmitted coins ciphertext} }
\newcommand { \transmitPublicAlgorithm } { \term { key-private encryption} }
\newcommand { \transmitPrivateAlgorithm } { \term { key-private decryption} }
\newcommand { \spendAuthority } { \term { spend authority} }
\newcommand { \authKeypair } { \term { authorization} }
\newcommand { \transmitKeypair } { \term { transmission} }
\newcommand { \discloseKeypair } { \term { disclosure} }
\newcommand { \keyPrivateAlgorithm } { \term { key-private encryption scheme} }
\newcommand { \incrementalMerkleTree } { \term { incremental merkle tree} }
\newcommand { \spentSerialsMap } { \term { spent serial numbers map} }
\newcommand { \zkSNARK } { \term { zk-SNARK} }
@ -83,24 +93,26 @@
\newcommand { \memo } { \term { memo field} }
% key pairs:
\newcommand { \PublicAddress } { \mathsf { addr_ { pk} } }
\newcommand { \PrivateAddress } { \mathsf { addr_ { sk} } }
\newcommand { \PublicAddressLeadByte } { \mathbf { 0x92} }
\newcommand { \PrivateAddressLeadByte } { \mathbf { 0x93} }
\newcommand { \SpendAuthorityPublic } { \mathsf { a_ { pk} } }
\newcommand { \SpendAuthorityPrivate } { \mathsf { a_ { sk} } }
\newcommand { \SpendAuthorityPublicOld } [1]{ \mathsf { a^ { old} _ { pk,\mathnormal { #1} } } }
\newcommand { \SpendAuthorityPrivateOld } [1]{ \mathsf { a^ { old} _ { sk,\mathnormal { #1} } } }
\newcommand { \SpendAuthorityPublicNew } [1]{ \mathsf { a^ { new} _ { pk,\mathnormal { #1} } } }
\newcommand { \SpendAuthorityPrivateNew } [1]{ \mathsf { a^ { new} _ { sk,\mathnormal { #1} } } }
\newcommand { \PaymentAddress } { \mathsf { addr_ { pk} } }
\newcommand { \ViewingKey } { \mathsf { addr_ { viewkey} } }
\newcommand { \SpendingKey } { \mathsf { addr_ { sk} } }
\newcommand { \PaymentAddressLeadByte } { \mathbf { 0x92} }
\newcommand { \ViewingKeyLeadByte } { \mathbf { 0x??} }
\newcommand { \SpendingKeyLeadByte } { \mathbf { 0x93} }
\newcommand { \AuthPublic } { \mathsf { a_ { pk} } }
\newcommand { \AuthPrivate } { \mathsf { a_ { sk} } }
\newcommand { \AuthPublicOld } [1]{ \mathsf { a^ { old} _ { pk,\mathnormal { #1} } } }
\newcommand { \AuthPrivateOld } [1]{ \mathsf { a^ { old} _ { sk,\mathnormal { #1} } } }
\newcommand { \AuthPublicNew } [1]{ \mathsf { a^ { new} _ { pk,\mathnormal { #1} } } }
\newcommand { \AuthPrivateNew } [1]{ \mathsf { a^ { new} _ { sk,\mathnormal { #1} } } }
\newcommand { \TransmitPublic } { \mathsf { pk_ { enc} } }
\newcommand { \TransmitPublicNew } [1]{ \mathsf { pk_ { enc,\mathnormal { #1} } } }
\newcommand { \TransmitPrivate } { \mathsf { sk_ { enc} } }
\newcommand { \TransmitPrivateNew } [1]{ \mathsf { sk_ { enc,\mathnormal { #1} } } }
\newcommand { \View Public } { \mathsf { pk_ { view } } }
\newcommand { \View PublicNew } [1]{ \mathsf { pk_ { view ,\mathnormal { #1} } } }
\newcommand { \View Private } { \mathsf { sk_ { view } } }
\newcommand { \View PrivateNew } [1]{ \mathsf { sk_ { view ,\mathnormal { #1} } } }
\newcommand { \Disclose Public } { \mathsf { pk_ { disclose } } }
\newcommand { \Disclose PublicNew } [1]{ \mathsf { pk_ { disclose ,\mathnormal { #1} } } }
\newcommand { \Disclose Private } { \mathsf { sk_ { disclose } } }
\newcommand { \Disclose PrivateNew } [1]{ \mathsf { sk_ { disclose ,\mathnormal { #1} } } }
\newcommand { \EphemeralPublic } { \mathsf { pk_ { eph} } }
\newcommand { \EphemeralPrivate } { \mathsf { sk_ { eph} } }
\newcommand { \Value } { \mathsf { v} }
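Review bot: `\ViewingKeyLeadByte` at L60 is left as the placeholder `0x??`, so the viewing-key raw encoding this change introduces cannot actually be implemented or test-vectored yet; when a value is assigned it must differ from the `0x92`/`0x93` lead bytes at L59/L61 so a Base58Check-encoded viewing key can never be mistaken for a payment address or, worse, accepted where a spending key is expected. The macro names at L72–L79 appear with an embedded space (`\View Public`, `\Disclose PublicNew`); if that is in the source rather than an extraction artifact, `\newcommand` will reject them and every later use of `\ViewPublic`/`\DisclosePublic` fails. The prose at L129–L130 names the three keypairs authorization/transmission/disclosure, but the macros define both a `View` pair (L72–L75) and a `Disclose` pair (L76–L79) with no text using `\ViewPublic`/`\ViewPrivate` visibly; one of the two families looks redundant and should be dropped or its role documented with a comment such as `% view keypair: reserved for ...`.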
@ -258,7 +270,7 @@ ensuring that the functions are independent.
\newsavebox { \addrbox }
\begin { lrbox} { \addrbox }
\begin { bytefield} [bitwidth=0.065em]{ 512}
\bitbox { 242} { 256 bit $ \Spend Authority Private $ } &
\bitbox { 242} { 256 bit $ \AuthPrivate $ } &
\bitbox { 14} { 0} &
\bitbox { 14} { 0} &
\bitbox { 242} { $ 0 ^ { 254 } $ } &
@ -268,7 +280,7 @@ ensuring that the functions are independent.
\newsavebox { \snbox }
\begin { lrbox} { \snbox }
\begin { bytefield} [bitwidth=0.065em]{ 512}
\bitbox { 242} { 256 bit $ \Spend Authority Private $ } &
\bitbox { 242} { 256 bit $ \AuthPrivate $ } &
\bitbox { 14} { 0} &
\bitbox { 14} { 1} &
\bitbox { 242} { $ \Leading { 254 } ( \CoinAddressRand ) $ } &
@ -278,7 +290,7 @@ ensuring that the functions are independent.
\newsavebox { \pkbox }
\begin { lrbox} { \pkbox }
\begin { bytefield} [bitwidth=0.065em]{ 512}
\bitbox { 242} { 256 bit $ \Spend Authority Private $ } &
\bitbox { 242} { 256 bit $ \AuthPrivate $ } &
\bitbox { 14} { 1} &
\bitbox { 14} { 0} &
\bitbox { 14} { $ i $ } &
@ -303,9 +315,9 @@ is associated with this bit-packing.}
\begin { equation*}
\begin { aligned}
\Spend Authority Public & := \PRFaddr { \Spend Authority Private } (0) & = \CRHbox { \addrbox } \\
\sn & := \PRFsn { \Spend Authority Private } (\CoinAddressRand ) & = \CRHbox { \snbox } \\
\h { i} & := \PRFpk { \Spend Authority Private } (i, \hSig ) & = \CRHbox { \pkbox } \\
\AuthPublic & := \PRFaddr { \AuthPrivate } (0) & = \CRHbox { \addrbox } \\
\sn & := \PRFsn { \AuthPrivate } (\CoinAddressRand ) & = \CRHbox { \snbox } \\
\h { i} & := \PRFpk { \AuthPrivate } (i, \hSig ) & = \CRHbox { \pkbox } \\
\setchanged \CoinAddressRandNew { i} & \setchanged := \PRFrho { \CoinAddressPreRand } (i, \hSig )
& \setchanged = \CRHbox { \rhobox }
\end { aligned}
@ -314,43 +326,68 @@ is associated with this bit-packing.}
\daira { Should we instead define $ \CoinAddressRand $ to be 254 bits and $ \hSig $ to be
253 bits?}
\subsection { Confidential Addresses and Private Keys}
\subsection { Payment Addresses, Viewing Keys, and Spending Keys}
A \keyTuple $ ( \PaymentAddress , \ViewingKey , \SpendingKey ) $ is generated
by users who wish to receive payments under this scheme. The parts of
the \keyTuple are composed from three distinct keypairs, called the
\authKeypair , \transmitKeypair , and \discloseKeypair keypairs.
\nathan { This term, \publicAddress , may be confusing by comparison to
a ``private key''. In the latter case the adjective is reminding a
user of their responsibility to protect its privacy, but in the case
of \publicAddress we want users to know ``transfers to this address
are confidential, but the address itself *may* be published or kept
confidential depending on your needs. Two different people can compare
addresses to know they have the same \publicAddress .''}
\begin { itemize}
\item The \paymentAddress $ \PaymentAddress $ is a pair
$ ( \AuthPublic , \TransmitPublic ) $ , containing the \em { public}
components of the \authKeypair and \transmitKeypair keypairs
respectively.
\item The \viewingKey $ \ViewingKey $ is a pair
$ ( \TransmitPrivate , \DisclosePrivate ) $ , containing the \em { private}
components of the \transmitKeypair and \discloseKeypair keypairs
respectively.
\item The \spendingKey $ \SpendingKey $ is a triple
$ ( \AuthPrivate , \TransmitPrivate , \DisclosePrivate ) $ ,
containing the \em { private} components of the \authKeypair ,
\transmitKeypair , and \discloseKeypair keypairs respectively.
\end { itemize}
A key pair $ ( \PublicAddress , \PrivateAddress ) $ is generated by
users who wish to receive coins under this scheme. The tuple parts
embody two distinct keypairs used for different purposes called
the \spendAuthority and the \transmitPublicAlgorithm keypair. The
\publicAddress $ \PublicAddress $ is a tuple $ ( \SpendAuthorityPublic ,
\TransmitPublic )$ , containing the public components of the \spendAuthority
and \transmitPublicAlgorithm respectively. The $ \PrivateAddress $ is
a tuple $ ( \SpendAuthorityPrivate , \TransmitPrivate ) $ , containing the
secret components respectively.
The following diagram depicts the relations between key components.
Arrows point from a private component to the corresponding public
component derived from it.
\nathan { A diagram could really help here.}
\begin { center}
\includegraphics [scale=1] { key_ components}
\end { center}
Note that a \spendingKey holder can derive
$ ( \SpendPublic , \TransmitPublic , \ViewPublic ) $ , and a \viewingKey holder
can derive $ ( \TransmitPublic , \ViewPublic ) $ , even though these components
are not formally part of the respective keys. Implementations \MAY cache
these derived public components, provided that they are deleted if the
corresponding private component is deleted.
The composition of \paymentAddresses , \viewingKeys , and \spendingKeys
is a cryptographic protocol detail that should not normally be
exposed to users. However, user-visible operations should be provided
to:
\begin { itemize}
\item obtain a \viewingKey from a \spendingKey ; and
\item obtain a \publicAddress from a \spendingKey .
\end { itemize}
Users can accept payment from multiple parties with a single
$ \PublicAddress $ and the fact that these payments are destined to
$ \Payment Address $ and the fact that these payments are destined to
the same payee is not revealed on the blockchain, even to the
paying parties. \emph { However} if two parties collude to compare a
$ \PublicAddress $ they can trivially determine they are the same. In the
$ \Payment Address $ they can trivially determine they are the same. In the
case that a payee wishes to prevent this they should create a distinct
\publicAddress for each payer.
\payment Address for each payer.
\subsection { Coins}
A \coin (denoted $ \Coin $ ) is a tuple $ \changed { ( \SpendAuthorityPublic , \Value ,
A \coin (denoted $ \Coin $ ) is a tuple $ \changed { ( \AuthPublic , \Value ,
\CoinAddressRand , \CoinCommitRand )} $ which represents that a value $ \Value $ is
spendable by the recipient who holds the $ \spendAuthority $ key pair
$ ( \SpendAuthorityPublic , \SpendAuthorityPrivate ) $ such that
$ \SpendAuthorityPublic = \PRFaddr { \SpendAuthorityPrivate } ( 0 ) $ .
spendable by the recipient who holds the $ \authorization $ key pair
$ ( \AuthPublic , \AuthPrivate ) $ such that
$ \AuthPublic = \PRFaddr { \AuthPrivate } ( 0 ) $ .
$ \CoinCommitRand $ is randomly generated by the sender. \changed { $ \CoinAddressRand $
is generated from a random seed $ \CoinAddressPreRand $ using
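Review bot: The viewing key defined at L143–L146 contains `\TransmitPrivate`, the very decryption key the spending key holds, so anyone given a viewing key can decrypt every coin plaintext and memo ever sent to that address; the section should say so and state the limit explicitly, e.g. `A \viewingKey holder can decrypt all \coinPlaintexts sent to the corresponding \paymentAddress but, lacking $\AuthPrivate$, cannot spend them; it \MUST be protected accordingly.` Several identifiers in the new text also do not match the macros this diff defines: L169 uses `\SpendPublic` and `\ViewPublic` where the keypair components are `\AuthPublic`/`\DisclosePublic` (L62, L76), L199 uses `\authorization` where the macro is `\authKeypair` (L36), and L180 still says `\publicAddress` although L191 switched to `\paymentAddress`; unless these are defined elsewhere in the file the document will not build. Since `\MAY` is already used at L171, the lowercase "should" at L175–L176 is probably meant to be `\SHOULD` from the conformance macros added in this change.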
@ -363,9 +400,9 @@ the value and recipient \emph{except} to those who possess these tokens.
In order to transmit the secret $ \Value $ , $ \CoinAddressRand $ , and $ \CoinCommitRand $
(necessary for the recipient to later spend) \changed { and also a \memo } to the
recipient \emph { without} requiring an out-of-band communication channel, the
$ \transmitPublicAlgorithm $ public key $ \TransmitPublic $ is used to encrypt these
$ \transmitAuthority $ public key $ \TransmitPublic $ is used to encrypt these
secrets to form a \coinsCiphertext . The recipient's possession of the associated
$ ( \PublicAddress , \PrivateAddress ) $ (which contains both $ \Spend Authority Public $ and
$ ( \PaymentAddress , \SpendingKey ) $ (which contains both $ \AuthPublic $ and
$ \TransmitPrivate $ ) is used to reconstruct the original \coin \changed { and \memo } .
\changed {
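Review bot: L212 says possession of `$(\PaymentAddress, \SpendingKey)$` is used to reconstruct the coin, but the only secret the decryption at L209–L213 needs is `$\TransmitPrivate$`, which per L143–L146 is also part of the viewing key; as written the text hides the fact that a viewing-key holder can reconstruct every incoming coin and memo, which is the main thing a reader assessing viewing-key disclosure needs to know. Suggest `The recipient's $\TransmitPrivate$ (held by both the \viewingKey and the \spendingKey) is used to reconstruct the original \coin \changed{and \memo}.` `\transmitAuthority` at L209 is not among the macros defined by this diff (L37 defines `\transmitKeypair`); the same undefined name recurs at L335.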
@ -449,14 +486,14 @@ break of the IK-CCA (key privacy) property.
\subsubsection { Coin Commitments}
The underlying $ \Value $ and $ \Spend Authority Public $ are blinded with $ \CoinAddressRand $
The underlying $ \Value $ and $ \AuthPublic $ are blinded with $ \CoinAddressRand $
and $ \CoinCommitRand $ using the collision-resistant hash function $ \CRH $ in a
multi-layered process. The resulting hash $ \cm = \CoinCommitment { \Coin } $ .
\newsavebox { \ihbox }
\begin { lrbox} { \ihbox }
\begin { bytefield} [bitwidth=0.08em]{ 512}
\bitbox { 256} { 256 bit $ \Spend Authority Public $ } &
\bitbox { 256} { 256 bit $ \AuthPublic $ } &
\bitbox { 256} { 256 bit $ \CoinAddressRand $ }
\end { bytefield}
\end { lrbox}
@ -489,8 +526,8 @@ multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
\subsubsection { Serial numbers}
A \serialNumber (denoted $ \sn $ ) equals
$ \PRFsn { \Spend Authority Private } ( \CoinAddressRand ) $ . A \coin is spent by proving
knowledge of $ \CoinAddressRand $ and $ \Spend Authority Private $ in zero knowledge while
$ \PRFsn { \AuthPrivate } ( \CoinAddressRand ) $ . A \coin is spent by proving
knowledge of $ \CoinAddressRand $ and $ \AuthPrivate $ in zero knowledge while
disclosing $ \sn $ , allowing $ \sn $ to be used to prevent double-spending.
\subsection { Coin Commitment Tree}
@ -621,7 +658,7 @@ $\cmNew{\mathrm{1}..\NNew}$.
(\changed { $ \ephemeralKey $ and} $ \ciphertexts $ together form the \coinsCiphertext .)
\item $ \vmacs $ which is a $ \NOld $ size sequence of message authentication tags
$ \h { \mathrm { 1 } .. \NOld } $ that bind $ \hSig $ to each $ \Spend Authority Private $ of the
$ \h { \mathrm { 1 } .. \NOld } $ that bind $ \hSig $ to each $ \AuthPrivate $ of the
$ \PourDescription $ .
\item $ \zkproof $ which is the zero-knowledge proof $ \PourProof $ .
@ -695,15 +732,15 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$.
A valid instance of $ \PourProof $ assures that given a \term { primary input}
$ ( \rt , \snOld { \mathrm { 1 } .. \NOld } , \cmNew { \mathrm { 1 } .. \NNew } , \changed { \vpubOld , \; }
\vpubNew , \hSig , \h { 1..\NOld } )$ , a witness of \term { auxiliary input }
$ ( \treepath { 1 .. \NOld } , \cOld { 1 .. \NOld } , \Spend Authority PrivateOld { \mathrm { 1 } .. \NOld } ,
$ ( \treepath { 1 .. \NOld } , \cOld { 1 .. \NOld } , \AuthPrivateOld { \mathrm { 1 } .. \NOld } ,
\cNew { 1..\NNew } \changed { , \CoinAddressPreRand } )$ exists, where:
\begin { list} { } { }
\item for each $ i \in \{ 1 .. \NOld \} $ : $ \cOld { i } $ = $ ( \Spend Authority PublicOld { i } ,
\item for each $ i \in \{ 1 .. \NOld \} $ : $ \cOld { i } $ = $ ( \AuthPublicOld { i } ,
\vOld { i} , \CoinAddressRandOld { i} , \CoinCommitRandOld { i} )$
\item for each $ i \in \{ 1 .. \NNew \} $ : $ \cNew { i } $ = $ ( \Spend Authority PublicNew { i } ,
\item for each $ i \in \{ 1 .. \NNew \} $ : $ \cNew { i } $ = $ ( \AuthPublicNew { i } ,
\vNew { i} , \CoinAddressRandNew { i} , \CoinCommitRandNew { i} )$
\item The following conditions hold:
@ -723,16 +760,16 @@ $\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew}
\subparagraph { Serial integrity}
for each $ i \in \{ 1 .. \NNew \} $ :
$ \snOld { i } = \PRFsn { \Spend Authority PrivateOld { i } } ( \CoinAddressRandOld { i } ) $ .
$ \snOld { i } = \PRFsn { \AuthPrivateOld { i } } ( \CoinAddressRandOld { i } ) $ .
\subparagraph { Spend authority}
for each $ i \in \{ 1 .. \NOld \} $ :
$ \Spend Authority PublicOld { i } = \PRFaddr { \Spend Authority PrivateOld { i } } ( 0 ) $ .
$ \AuthPublicOld { i } = \PRFaddr { \AuthPrivateOld { i } } ( 0 ) $ .
\subparagraph { Non-malleability}
for each $ i \in \{ 1 .. \NOld \} $ : $ \h { i } $ = $ \PRFpk { \Spend Authority PrivateOld { i } } ( i, \hSig ) $
for each $ i \in \{ 1 .. \NOld \} $ : $ \h { i } $ = $ \PRFpk { \AuthPrivateOld { i } } ( i, \hSig ) $
\changed {
\subparagraph { Uniqueness of $ \CoinAddressRandNew { i } $ }
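Review bot: The serial-integrity condition at L262–L264 quantifies over `i \in \{1..\NNew\}` but constrains `\snOld{i}` and `\AuthPrivateOld{i}`, which are indexed by old coins; it should read `for each $i \in \{1..\NOld\}$:` like the spend-authority and non-malleability conditions at L266 and L271. In Zcash both counts are 2 (L245), so the instantiated circuit is unaffected, but as stated the proof would leave serial numbers of old coins unconstrained whenever $\NNew < \NOld$, and those serial numbers are exactly what the double-spend check at L236 relies on. The rename in this hunk is a convenient moment to fix the quantifier.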
@ -769,8 +806,8 @@ These are encoded in the same way as in \Bitcoin \cite{Base58Check}.
\subsection { Confidential Public Addresses}
A \public Address consists of $ \Spend Authority Public $ and $ \TransmitPublic $ .
$ \Spend Authority Public $ is a SHA-256 compression function output.
A \payment Address consists of $ \AuthPublic $ and $ \TransmitPublic $ .
$ \AuthPublic $ is a SHA-256 compression function output.
$ \TransmitPublic $ is a \changed { Curve25519} public key, for use with the
encryption scheme defined in section ``In-band secret distribution".
@ -780,18 +817,18 @@ The raw encoding of a confidential address consists of:
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 520}
\bitbox { 48} { \changed { $ \Public AddressLeadByte $ } } &
\bitbox { 256} { $ \Spend Authority Public $ (32 bytes)} &
\bitbox { 48} { \changed { $ \Payment AddressLeadByte $ } } &
\bitbox { 256} { $ \AuthPublic $ (32 bytes)} &
\bitbox { 256} { A \changed { 32-byte} encoding of $ \TransmitPublic $ }
\end { bytefield}
\end { equation*}
\begin { itemize}
\changed {
\item A byte, $ \Public AddressLeadByte $ , indicating this version of the
\item A byte, $ \Payment AddressLeadByte $ , indicating this version of the
raw encoding of a \Zcash public address.
}
\item 32 bytes specifying $ \Spend Authority Public $ .
\item 32 bytes specifying $ \AuthPublic $ .
\item \changed { 32 bytes} specifying $ \TransmitPublic $ , \changed { using the
normal encoding of a Curve25519 public key \cite { Curve25519} } .
\end { itemize}
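Review bot: The subsection heading at L275 still reads "Confidential Public Addresses", L282 still calls the structure a "confidential address" and L296 a "\Zcash public address", while the body now uses `\paymentAddress` (L278) and `\PaymentAddressLeadByte` (L287/L295); mixed terminology in an encoding section is exactly where implementers pick the wrong lead byte. Suggest `\subsection{Payment Addresses}` and `raw encoding of a \Zcash \paymentAddress` so every name in this section matches the key-tuple definition earlier in the diff. L278 at L298 could also state that the encoding is fixed-length (1 + 32 + 32 bytes) so decoders reject anything else, though that length follows from the field list rather than being asserted.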
@ -803,8 +840,8 @@ and produces `z' as the Base58Check leading character.}
\subsection { Confidential Address Secrets}
A confidential address secret consists of $ \Spend Authority Private $ and
$ \TransmitPrivate $ . $ \Spend Authority Private $ is a SHA-256 compression function
A confidential address secret consists of $ \AuthPrivate $ and
$ \TransmitPrivate $ . $ \AuthPrivate $ is a SHA-256 compression function
output. $ \TransmitPrivate $ is a \changed { Curve25519} private key, for use with
the encryption scheme defined in section ``In-band secret distribution".
@ -814,18 +851,18 @@ The raw encoding of a confidential address secret consists of, in order:
\begin { equation*}
\begin { bytefield} [bitwidth=0.07em]{ 520}
\bitbox { 48} { \changed { $ \PrivateAddress LeadByte $ } } &
\bitbox { 256} { $ \Spend Authority Private $ (32 bytes)} &
\bitbox { 48} { \changed { $ \SpendingKey LeadByte $ } } &
\bitbox { 256} { $ \AuthPrivate $ (32 bytes)} &
\bitbox { 256} { $ \TransmitPrivate $ (32 bytes)}
\end { bytefield}
\end { equation*}
\begin { itemize}
\changed {
\item A byte $ \PrivateAddress LeadByte $ indicating this version of the
\item A byte $ \SpendingKey LeadByte $ indicating this version of the
raw encoding of a \Zcash private key.
}
\item 32 bytes specifying $ \Spend Authority Private $ .
\item 32 bytes specifying $ \AuthPrivate $ .
\item 32 bytes specifying $ \TransmitPrivate $ .
\end { itemize}
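Review bot: The spending-key raw encoding at L316–L329 serializes only `$\AuthPrivate$` and `$\TransmitPrivate$`, yet the spending key was defined at L147–L150 as the triple `$(\AuthPrivate, \TransmitPrivate, \DisclosePrivate)$`; either the disclosure component must be added as a third 32-byte field (and the bytefield width adjusted) or the text must say explicitly that `$\DisclosePrivate$` is derived or intentionally not serialized, otherwise a wallet backup made from this encoding silently loses part of the key. The heading at L304 and the item at L325 still say "confidential address secret"/"private key" rather than `\spendingKey`, matching the lead-byte rename at L316/L324 only halfway. No raw encoding for the viewing key is given anywhere in the diff, so implementers have no interoperable way to export the capability this change introduces.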
@ -840,7 +877,7 @@ Transmitted coins are stored on the blockchain in encrypted form, together with
a \coinCommitment $ \cm $ .
The \coinPlaintexts associated with a \PourDescription are encrypted to the
respective \transmitPublicAlgorithm keys $ \TransmitPublicNew { \mathrm { 1 } .. \NNew } $ ,
respective \transmitAuthority keys $ \TransmitPublicNew { \mathrm { 1 } .. \NNew } $ ,
and the result forms a \coinsCiphertext .
Each \coinPlaintext consists of $ ( \Value , \CoinAddressRand , \CoinCommitRand \changed { , \Memo } ) $ ,
@ -849,7 +886,7 @@ where:
\begin { itemize}
\item $ \Value $ is a 64-bit unsigned integer representing the value of the
\coin in \zatoshi (1 \ZEC = $ 10 ^ 8 $ \zatoshi ).
\item $ \CoinAddressRand $ is a 32-byte $ \PRFsn { \Spend Authority Private } $ preimage.
\item $ \CoinAddressRand $ is a 32-byte $ \PRFsn { \AuthPrivate } $ preimage.
\item $ \CoinCommitRand $ is a 48-byte \COMMtrapdoor .
\changed {
\item $ \Memo $ is a 64-byte \memo associated with this \coin .
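Review bot: `\transmitAuthority` at L335 is not defined by the macros this diff adds (L37 defines `\transmitKeypair`); the same name appears at L209, so both uses will fail to build unless it is defined elsewhere in the file. Suggest `respective \transmitKeypair public keys $\TransmitPublicNew{\mathrm{1}..\NNew}$`. It would also help to state that the 64-byte memo at L346 is encrypted as part of the coin plaintext and is therefore readable by any viewing-key holder, since that is what L143–L146 implies.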
@ -915,9 +952,9 @@ TBD.
\item Instead of ECIES, we use an encryption scheme based on $ \CryptoBox $ ,
defined in section ``In-band secret distribution".
\item Faerie Gold fix (TBD).
\item The paper defines a coin as a tuple $ ( \Spend Authority Public , \Value ,
\item The paper defines a coin as a tuple $ ( \AuthPublic , \Value ,
\CoinAddressRand , \CoinCommitRand , \CoinCommitS , \cm )$ , whereas this specification
defines it as $ ( \Spend Authority Public , \Value , \CoinAddressRand , \CoinCommitRand ) $ .
defines it as $ ( \AuthPublic , \Value , \CoinAddressRand , \CoinCommitRand ) $ .
This is just a clarification, because the instantiation of $ \COMM { \CoinCommitS } $
in section 5.1 of the paper does not use $ \CoinCommitS $ , and $ \cm $ can be computed
from the other fields.